Vulnerability	Vulnerable Version
H Incorrect Authorization io.quarkus:quarkus-vertx-http is a Cloud Native, (Linux) Container First framework for writing Java applications. Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had `normalizedPath()` applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting inconsistencies between the security layer and routing layer in path normalization. Endpoints are matched for authorization purposes with their trailing matrix parameters, so `/api/admin;anything` successfully matches `/api/admin`, but routing rules are applied to the endpoint without matrix parameters, bypassing policies. How to fix Incorrect Authorization? Upgrade `io.quarkus:quarkus-vertx-http` to version 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.1 or higher.	[,3.20.6.1)[3.21.0,3.27.3.1)[3.28.0,3.33.1.1)[3.34.0.CR1,3.34.7)[3.35.0.CR1,3.35.1)

Incorrect Authorization

io.quarkus:quarkus-vertx-http is a Cloud Native, (Linux) Container First framework for writing Java applications.

Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath() applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting inconsistencies between the security layer and routing layer in path normalization. Endpoints are matched for authorization purposes with their trailing matrix parameters, so /api/admin;anything successfully matches /api/admin, but routing rules are applied to the endpoint without matrix parameters, bypassing policies.

How to fix Incorrect Authorization?

Upgrade io.quarkus:quarkus-vertx-http to version 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.1 or higher.

[,3.20.6.1)[3.21.0,3.27.3.1)[3.28.0,3.33.1.1)[3.34.0.CR1,3.34.7)[3.35.0.CR1,3.35.1)

Go back to all versions of this package